How anti-virus software can be turned into a tool for spying

By Nicole Perlroth, NEW YORK TIMES

January 1, 2018

Photo: Leah Millis, Staff

Eugene Kaspersky Chief Executive Officer and Chairman of Kaspersky Lab answers a question during the panel discussion on "Defending against Targeted Attacks in the Age of Cyber-Espionage" during Kaspersky Lab's annual CyberSecurity Summit called "The State of Enterprise IT Security" April 15, 2014 at the St. Regis Hotel in San Francisco, Calif. The event started off with a keynote address from Tom Ridge, former U.S. Homeland Security secretary, and then held a panel discussion on "Defending against Targeted Attacks in the Age of Cyber-Espionage" and continued with various speakers throughout the day.


It has been a secret, long known to intelligence agencies but rarely to consumers, that security software can be a powerful spy tool.

Security software runs closest to the bare metal of a computer, with privileged access to nearly every program, application, web browser, email and file. There is good reason for this: Security products are intended to evaluate everything that touches your machine in search of anything malicious, or even vaguely suspicious.

By downloading security software, consumers also run the risk that an untrustworthy anti-virus maker - or hacker or spy with a foothold in its systems - could abuse that deep access to track customers' every digital movement.

"In the battle against malicious code, anti-virus products are a staple," said Patrick Wardle, chief research officer at Digita Security, a security company. "Ironically, though, these products share many characteristics with the advanced cyberespionage collection implants they seek to detect."


Wardle would know. A former hacker at the National Security Agency, Wardle recently succeeded in subverting anti-virus software sold by Kaspersky Lab, turning it into a powerful search tool for classified documents.

Wardle's curiosity was piqued by recent news that Russian spies had used Kaspersky anti-virus products to siphon classified documents off the home computer of an NSA developer, and may have played a critical role in broader Russian intelligence gathering.

For years, intelligence agencies suspected that Kaspersky Lab's security products provided a back door for Russian intelligence. A draft of a top-secret report leaked by Edward Snowden, the former NSA contractor, described a top-secret NSA effort in 2008 that concluded that Kaspersky's software collected sensitive information off customers' machines.

At the NSA, analysts were barred from using Kaspersky anti-virus software because of the risk it would give the Kremlin broad access to their machines and data. But excluding NSA headquarters at Fort Meade, Kaspersky still managed to secure contracts with nearly two dozen U.S. government agencies over the past few years.

In September, the Department of Homeland Security ordered all federal agencies to cease using Kaspersky products because of the threat the products could "provide access to files."

In October, the New York Times reported that the Homeland Security directive was based, in large part, on intelligence shared by Israeli intelligence officials who successfully hacked Kaspersky Lab in 2014. They looked on for months as Russian government hackers scanned computers belonging to Kaspersky customers around the world for top-secret U.S. government classified programs.

Kaspersky continues to deny that it knew about the scanning for classified U.S. programs or allowed its anti-virus products to be used by Russian intelligence. Eugene Kaspersky, the company's CEO, has said he would allow the U.S. government to inspect his company's source code to allay distrust of its anti-virus and cybersecurity products.

But Wardle discovered, in reverse-engineering Kaspersky anti-virus software, that a simple review of its source code would do nothing to prove its products had not been used as a Russian intelligence-gathering tool.

Traditional anti-virus software uses digital "signatures" to look for malicious code and patterns of activity. Kaspersky's signatures, by contrast, are easily updated, can be automatically pushed out to certain clients, and contain code that can be tweaked to do things such as automatically scanning for and siphoning off classified documents.
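To make the distinction in the paragraph above concrete, here is an added Python example written for this editing pass; it is not code from the article, from Kaspersky Lab or from any vendor. It is a toy signature engine whose matching loop never changes: it is run first with a conventional malware signature (the standard, harmless EICAR test string) and then with a constructed "signature update" that adds one rule keyed on a document classification marking with an off-host action. The signature names, the "upload" action, the sample files and the `audit_update` check are all hypothetical. The point is that the engine's source looks identical in both runs; what changed is signature data, which is why a defender audits the signature feed and the actions it triggers, not only the engine's source.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Hypothetical engine actions on a signature hit. "quarantine", "delete" and
# "log" keep the file on the machine; anything else moves data off the host.
LOCAL_ACTIONS = {"quarantine", "delete", "log"}


@dataclass(frozen=True)
class Signature:
    name: str
    pattern: re.Pattern   # byte pattern searched for in file contents
    action: str           # engine action when the pattern matches


def scan(contents: bytes, signatures: List[Signature]) -> List[Tuple[str, str]]:
    """Run every signature over one file's contents; return (name, action) per hit.

    This loop is the whole 'engine'. Its source never changes between the two
    runs below; only the signature list fed to it does."""
    return [(sig.name, sig.action) for sig in signatures if sig.pattern.search(contents)]


def scan_files(files: Dict[str, bytes],
               signatures: List[Signature]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan a mapping of filename -> contents (a stand-in for walking a disk)."""
    return {name: scan(data, signatures) for name, data in files.items()}


def audit_update(signatures: List[Signature]) -> List[str]:
    """Defender-side check (hypothetical): names of signatures whose action
    sends file contents off the machine instead of neutralising them locally."""
    return [sig.name for sig in signatures if sig.action not in LOCAL_ACTIONS]


# Standard, harmless anti-virus test string (EICAR), standing in for malware.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Baseline signature set: one ordinary malware rule, local action.
BASELINE_SIGNATURES = [
    Signature("EICAR-Test-File", re.compile(re.escape(EICAR)), "quarantine"),
]

# Constructed 'signature update': same engine, one extra rule that keys on a
# document classification marking rather than on malicious code, and whose
# action ships the file off the host.
UPDATED_SIGNATURES = BASELINE_SIGNATURES + [
    Signature("Doc-Marking-Collector", re.compile(rb"TOP SECRET"), "upload"),
]

# Constructed sample files; none of this is real content.
SAMPLE_FILES = {
    "invoice.docx": b"Dear customer, please find attached your invoice for March.",
    "dropper.exe": b"MZ\x90\x00" + EICAR,
    "briefing.docx": b"TOP SECRET//NOFORN - weekly briefing (constructed sample text)",
}

if __name__ == "__main__":
    for label, sigs in (("baseline", BASELINE_SIGNATURES), ("after update", UPDATED_SIGNATURES)):
        print(f"{label}: {scan_files(SAMPLE_FILES, sigs)}")
        print(f"  signatures that send data off-host: {audit_update(sigs)}")
```

Running the block shows the same engine flagging only `dropper.exe` under the baseline rules and additionally flagging `briefing.docx` for upload after the update, while `audit_update` singles out the added rule. A review of the engine's source alone would see no difference between the two runs.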

In short, Wardle found, "Anti-virus could be the ultimate cyberespionage spying tool."